WordPress is a powerful tool that can make website management simple. But because so many websites run on WordPress, it makes the platform a target for hackers. Using bots and other automation methods, hackers can do a great deal of damage to many websites in a short time.

It’s tempting to launch a new website on WordPress and just let it start doing its work. Instead, pause and take the time to ensure you have secured your website from hackers by following the 7 easy steps listed below.

But before we start, let’s first look at some numbers!

Why Does this Matter?

Security researchers like Patchstack and Sucuri say most WordPress hacks don’t happen because WordPress itself is “broken.” The bigger problem is usually the extra plugins people install.

Here’s how the vulnerabilities break down:

  • Plugins: about 92.81%
  • Themes: about 6.61%
  • WordPress core: about 0.58%

Here are a few common reasons WordPress sites get compromised:

Outdated software

More than 60% of hacked WordPress sites were running an old version of WordPress when the breach happened.

Weak passwords

About 8% of WordPress breaches happen because attackers use brute-force attacks until they crack a weak password, or they get in with a default admin login that was never changed.

Vulnerable plugins

In 2024, known WordPress vulnerabilities jumped by 34%, with close to 8,000 new issues found in plugins and themes.

Bot traffic

By 2025, bots made up about 51% of all web traffic.

Infographic About Wordpress Vulnerability.

1. Stop user enumeration

If your usernames are visible on your WordPress website, hackers can use those public usernames to gain access to your website’s login page. All a hacker has to do is add ?author=1 to the end of your URL, and they’ll be able to see the username for the author of that post.

A hacker can use a script to find all author usernames for your website, which opens you up to so many security risks.

This is called user enumeration because the hacker steps through user ID numbers to learn the usernames behind them. There is a way to prevent user enumeration.

Follow these easy steps.

  1. First, rename your display name. To do this, click on the WordPress username in the top right corner.
Change Wordpress Username
  2. Now make your username different from your display name. Scroll down, change the Nickname to something else, and in the Display name publicly as dropdown select the nickname you just picked, then click Save.
Check Wordpress Nickname

This step prevents hackers from seeing your username listed on the page, but it will still show in the URL if you don’t take the next step.

  3. Install and activate the Stop User Enumeration plugin.

If you go to Settings in the WordPress dashboard and then click Stop User Enumeration, you will see the plugin settings. By default, everything should be checked; you don’t need to change anything here. Just install, activate, clear your cache, and that’s it!

Stop User Enumeration Plugin Settings

Let’s test. Open a private browser window, type your URL, and add ?author=1 at the end.

Example: 
https://yourdomain.com/?author=1

You should get a forbidden message like below.

Forbidden Error

2. Rename the table prefix during installation

The default WordPress table prefix is always wp_, and because hackers are well aware of this default, they write scripts and create bots that attack this table naming convention.

You can blunt these automated attacks by giving your tables a unique prefix: the bots and scripts look for tables under the default name, and no table with that name exists on your site.

During the installation, you can easily change the default table prefix as illustrated in the screenshot below.

Note: Some hosts, like GoDaddy and Amberd Hosting, do this automatically. If you are on these platforms and have a Managed WordPress hosting package, you do not have to worry about this, but it is always best to double-check.

Change The Default Wordpress Table Prefix

To keep your tables easy to read and sorted by name, you can add your own characters to the end of the wp_ prefix.

This can be a set of random characters so that your prefix looks something like this: wp_YWfn6Z4C_

3. Disable file editing in the admin area

WordPress is designed for easy, convenient editing. And while that’s a good thing for many people, it can leave you open to security issues.

One example is that an admin can edit or modify the theme’s files. The same is true for plugins.

Disable Wordpress Theme Editor

Once an attacker has access to the admin area of your website, they can edit the files of your site and do great damage in very little time. You can disable the ability to make changes to these files with one minor change to your configuration file.

Access your root folder, find the file wp-config.php, and copy and paste the code below into your configuration file right above the line that tells you to stop editing.

define('DISALLOW_FILE_EDIT', true);

Save and upload your change. As you can see in the screenshot below, the Theme Editor option is no longer visible, and the same goes for the Plugin editor under the Plugins section.

The Wp Theme Editor Is Removed In This Example.

You will no longer be able to edit any files via the dashboard. Instead, use an FTP client or cPanel, which are more secure.

This simple security patch can help keep your website files safe if a hacker accesses your dashboard.

Plus, this is quite easy to reverse if you later decide you want your admins to have the ability to edit files within WordPress.

4. Monitor error logs and activity

Monitoring your error logs within your hosting platform can give you valuable information about who is trying to access your website.

To check your error logs, log in to cPanel and go to Error Logs and Raw Access (activity logs).

Note: If you are not using cPanel, contact your host, and they should be able to provide access to the error logs.

cPanel Error Logs

If you’re seeing malicious activity in these reports, you’ll want to ensure you ban these users to prevent further attempts. Bots and other malicious users that are constantly pinging your website can slow it down for your real visitors.

The easiest way to stop these access requests is to install the WP-Ban plugin, or something similar. Once you have the plugin and it is activated within your website, visit the Settings menu and then click Ban.

Wp Ban Plugin Admin

Here you can update the settings within your plugin. Pulling from your error logs, you can add the IP addresses that have been trying to maliciously access your website. Once you save the changes, that user will be presented with the ban message and will be banned from your site.
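To show what "pulling from your error logs" looks like in practice, here is an added example (not from the post or from the WP-Ban plugin) that parses a few constructed cPanel-style raw access log lines and lists the IPs that repeatedly hit the login page, XML-RPC, or author probes. The combined log format and the three-hit threshold are assumptions; tune the threshold to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic) in the Apache "combined" format
# that cPanel's Raw Access logs use: IP - - [time] "METHOD path HTTP/x" status size ...
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2025:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2025:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.22 - - [02/Mar/2025:10:02:10 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.22 - - [02/Mar/2025:10:02:11 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.44 - - [02/Mar/2025:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Mar/2025:10:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns worth counting: a failed login re-renders wp-login.php with HTTP 200
# (a successful one redirects with 302), XML-RPC POSTs, and ?author= probes.
SUSPICIOUS = {
    "login_attempt": lambda r: r["method"] == "POST" and r["path"] == "/wp-login.php" and r["status"] == "200",
    "xmlrpc_post": lambda r: r["method"] == "POST" and r["path"].startswith("/xmlrpc.php"),
    "author_probe": lambda r: r["path"].startswith("/?author="),
}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_ips(log_text, threshold=3):
    """Map IP -> {reason: count} for every IP with at least `threshold` suspicious hits."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash on them
        for reason, matches in SUSPICIOUS.items():
            if matches(rec):
                hits[rec["ip"]][reason] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}

def ban_list(log_text, threshold=3):
    """Sorted IPs ready to paste into a blocklist such as the WP-Ban settings page."""
    return sorted(suspicious_ips(log_text, threshold))
```

Note that the visitor at 192.0.2.44 is not flagged: one successful login (302) and a normal page view is what a real user looks like.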

5. Monitor file changes

To ensure the only changes occurring on your website are the ones you and your team are making, you want to monitor any file changes.

A simple way of doing this is to use the Website File Changes Monitor plugin.

The plugin will scan your website and will track three types of file changes: additions, modifications, and deletions.

To ensure the plugin is properly installed and ready to go, you should run some tests by deleting a plugin, installing a new one, or editing a few files on your website. The Website File Changes Monitor plugin should record all these changes on your website.

Website File Changes Monitor Plugin
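To make the three kinds of change concrete, here is an added example (not the plugin's code) of the hash-baseline technique such monitors use: snapshot every file's SHA-256 digest, repeat later, and compare. The demo builds a constructed WordPress-like tree in a temporary directory and performs exactly the three test changes suggested above; a real monitor would store the baseline on disk rather than in memory.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def diff_snapshots(baseline, current):
    """Sort changes into the three kinds the plugin reports: additions, modifications, deletions."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}

def demo():
    """Constructed walkthrough: build a tiny WordPress-like tree in a temp dir, record a
    baseline, then perform the three test changes the post suggests and report them."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "wp-content/plugins/hello").mkdir(parents=True)
        (site / "wp-content/themes/mytheme").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DISALLOW_FILE_EDIT', true);\n")
        (site / "wp-content/plugins/hello/hello.php").write_text("<?php // hello v1\n")
        (site / "wp-content/themes/mytheme/functions.php").write_text("<?php // theme v1\n")
        baseline = snapshot(site)

        # 1. edit a theme file  2. delete a plugin  3. install a new plugin
        (site / "wp-content/themes/mytheme/functions.php").write_text("<?php // theme v2\n")
        (site / "wp-content/plugins/hello/hello.php").unlink()
        (site / "wp-content/plugins/newplugin").mkdir()
        (site / "wp-content/plugins/newplugin/newplugin.php").write_text("<?php // new\n")
        return diff_snapshots(baseline, snapshot(site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The untouched wp-config.php is absent from the report, which is the point: only files whose content actually changed show up.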

6. Update plugins, themes, and WordPress core files

This is the easiest task. Make sure all your plugins, themes, and WordPress core files are up to date. You can update them manually, or for plugins, you can set up automatic updates in the WordPress backend or through your host.

Note: We strongly recommend you update them manually, just in case there is an issue with a plugin.

To set up automatic updates for plugins inside the WordPress admin area, you would need to go to Plugins and click on Enable auto-updates, as you see in the screenshot below.

Enable Wordpress Auto Update

7. Lock down the login page to secure a WordPress website from hackers

The best solution would be to hide your login page from the public. You can use the following plugins to achieve that:

  1. WPS Hide Login – a lightweight and simple plugin.
  2. WP Ghost – includes reCAPTCHA, a math quiz, and many other advanced features.
  3. Hide My WP – affordable, one-time payment option with advanced features.

To further strengthen the security of your login page, add reCAPTCHA or a math quiz, and make sure to use a strong username and password. We recommend using special characters, numbers, and a combination of uppercase and lowercase letters.

For more advanced WordPress login page protection, follow this article: How to protect WordPress Admin and Login sections

Securing your WordPress website can be done in less than an hour and without hiring a developer. There’s no reason not to take these 7 important steps to ensure the protection of everything you’ve built!

What’s Next?

In this post, we mainly covered plugin-based security solutions. If you are looking for non-plugin WordPress security, check out this tutorial: 7 Simple Ways to Secure Your WordPress Website Without Plugins.